This configuration demonstrates how to connect a VPN Client to a PIX Firewall with the use of wildcards, mode-config, and the sysopt connection permit-ipsec command. The sysopt connection permit-ipsec command implicitly permits any packet that comes from an IPSec tunnel. This command also bypasses the checks of an associated access-list, conduit, or access-group command statement for IPSec connections.

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

In this section, you are presented with the information you can use to configure the features described in this document.

A user with a VPN Client connects and receives an IP address from the Internet service provider (ISP). This is replaced by an IP address from the mode-config pool on the PIX (172.16.1.1 - 172.16.1.255). The user has access to everything on the inside of the firewall, which includes networks. Users who do not run the VPN Client can connect to the web server through the address provided by the static assignment. Traffic from inside users to the Internet does not go through the IPSec tunnel.
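The following PIX 6.x configuration is an added example of how these pieces fit together; it is not the configuration from this document. It assumes a constructed inside network 10.1.1.0/24, a constructed web server 10.1.1.5 published at outside address 192.168.1.5, and the mode-config pool stated above; the pre-shared key is a placeholder, and lines beginning with a colon are explanatory comments.

```text
: Interfaces (constructed addresses) and the mode-config pool from this document
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip local pool vpnpool 172.16.1.1-172.16.1.255

: Non-VPN users reach the web server only through the static translation
: and the explicit access list bound to the outside interface
static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 192.168.1.5 eq www
access-group outside_in in interface outside

: Inside users going to the Internet are PATed and never enter the tunnel;
: traffic between the inside network and the VPN pool is exempted from NAT
access-list nonat permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (outside) 1 interface

: Decrypted IPSec traffic bypasses outside_in entirely, so a connected
: client can reach anything behind the inside interface
sysopt connection permit-ipsec

: IKE phase 1 with a wildcard pre-shared key: any peer address may negotiate,
: so the key is the only thing gating who can bring up a tunnel
isakmp enable outside
isakmp key PRE-SHARED-KEY-PLACEHOLDER address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
: Hand out pool addresses to clients (mode-config)
isakmp client configuration address-pool local vpnpool outside

: IPSec phase 2: a dynamic map, because client addresses are unknown in advance
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap interface outside
```

Because the outside access list is skipped for tunnelled traffic, the practical controls on VPN users here are the strength and handling of the wildcard pre-shared key and what the nat 0 access list exposes to the pool.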

Note: Encryption technology is subject to export controls. It is your responsibility to know the law about export of encryption technology. If you have any questions about export control, send an e-mail to export@cisco.com.

Note: In order to find additional information on the commands used in this document, refer to the Command Lookup Tool (registered customers only).